1*62c56f98SSadaf Ebrahimi /** 2*62c56f98SSadaf Ebrahimi * \file hkdf.h 3*62c56f98SSadaf Ebrahimi * 4*62c56f98SSadaf Ebrahimi * \brief This file contains the HKDF interface. 5*62c56f98SSadaf Ebrahimi * 6*62c56f98SSadaf Ebrahimi * The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is 7*62c56f98SSadaf Ebrahimi * specified by RFC 5869. 8*62c56f98SSadaf Ebrahimi */ 9*62c56f98SSadaf Ebrahimi /* 10*62c56f98SSadaf Ebrahimi * Copyright The Mbed TLS Contributors 11*62c56f98SSadaf Ebrahimi * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 12*62c56f98SSadaf Ebrahimi */ 13*62c56f98SSadaf Ebrahimi #ifndef MBEDTLS_HKDF_H 14*62c56f98SSadaf Ebrahimi #define MBEDTLS_HKDF_H 15*62c56f98SSadaf Ebrahimi 16*62c56f98SSadaf Ebrahimi #include "mbedtls/build_info.h" 17*62c56f98SSadaf Ebrahimi 18*62c56f98SSadaf Ebrahimi #include "mbedtls/md.h" 19*62c56f98SSadaf Ebrahimi 20*62c56f98SSadaf Ebrahimi /** 21*62c56f98SSadaf Ebrahimi * \name HKDF Error codes 22*62c56f98SSadaf Ebrahimi * \{ 23*62c56f98SSadaf Ebrahimi */ 24*62c56f98SSadaf Ebrahimi /** Bad input parameters to function. */ 25*62c56f98SSadaf Ebrahimi #define MBEDTLS_ERR_HKDF_BAD_INPUT_DATA -0x5F80 26*62c56f98SSadaf Ebrahimi /** \} name */ 27*62c56f98SSadaf Ebrahimi 28*62c56f98SSadaf Ebrahimi #ifdef __cplusplus 29*62c56f98SSadaf Ebrahimi extern "C" { 30*62c56f98SSadaf Ebrahimi #endif 31*62c56f98SSadaf Ebrahimi 32*62c56f98SSadaf Ebrahimi /** 33*62c56f98SSadaf Ebrahimi * \brief This is the HMAC-based Extract-and-Expand Key Derivation Function 34*62c56f98SSadaf Ebrahimi * (HKDF). 35*62c56f98SSadaf Ebrahimi * 36*62c56f98SSadaf Ebrahimi * \param md A hash function; md.size denotes the length of the hash 37*62c56f98SSadaf Ebrahimi * function output in bytes. 38*62c56f98SSadaf Ebrahimi * \param salt An optional salt value (a non-secret random value); 39*62c56f98SSadaf Ebrahimi * if the salt is not provided, a string of all zeros of 40*62c56f98SSadaf Ebrahimi * md.size length is used as the salt. 41*62c56f98SSadaf Ebrahimi * \param salt_len The length in bytes of the optional \p salt. 42*62c56f98SSadaf Ebrahimi * \param ikm The input keying material. 43*62c56f98SSadaf Ebrahimi * \param ikm_len The length in bytes of \p ikm. 44*62c56f98SSadaf Ebrahimi * \param info An optional context and application specific information 45*62c56f98SSadaf Ebrahimi * string. This can be a zero-length string. 46*62c56f98SSadaf Ebrahimi * \param info_len The length of \p info in bytes. 47*62c56f98SSadaf Ebrahimi * \param okm The output keying material of \p okm_len bytes. 48*62c56f98SSadaf Ebrahimi * \param okm_len The length of the output keying material in bytes. This 49*62c56f98SSadaf Ebrahimi * must be less than or equal to 255 * md.size bytes. 50*62c56f98SSadaf Ebrahimi * 51*62c56f98SSadaf Ebrahimi * \return 0 on success. 52*62c56f98SSadaf Ebrahimi * \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid. 53*62c56f98SSadaf Ebrahimi * \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying 54*62c56f98SSadaf Ebrahimi * MD layer. 55*62c56f98SSadaf Ebrahimi */ 56*62c56f98SSadaf Ebrahimi int mbedtls_hkdf(const mbedtls_md_info_t *md, const unsigned char *salt, 57*62c56f98SSadaf Ebrahimi size_t salt_len, const unsigned char *ikm, size_t ikm_len, 58*62c56f98SSadaf Ebrahimi const unsigned char *info, size_t info_len, 59*62c56f98SSadaf Ebrahimi unsigned char *okm, size_t okm_len); 60*62c56f98SSadaf Ebrahimi 61*62c56f98SSadaf Ebrahimi /** 62*62c56f98SSadaf Ebrahimi * \brief Take the input keying material \p ikm and extract from it a 63*62c56f98SSadaf Ebrahimi * fixed-length pseudorandom key \p prk. 64*62c56f98SSadaf Ebrahimi * 65*62c56f98SSadaf Ebrahimi * \warning This function should only be used if the security of it has been 66*62c56f98SSadaf Ebrahimi * studied and established in that particular context (eg. TLS 1.3 67*62c56f98SSadaf Ebrahimi * key schedule). For standard HKDF security guarantees use 68*62c56f98SSadaf Ebrahimi * \c mbedtls_hkdf instead. 69*62c56f98SSadaf Ebrahimi * 70*62c56f98SSadaf Ebrahimi * \param md A hash function; md.size denotes the length of the 71*62c56f98SSadaf Ebrahimi * hash function output in bytes. 72*62c56f98SSadaf Ebrahimi * \param salt An optional salt value (a non-secret random value); 73*62c56f98SSadaf Ebrahimi * if the salt is not provided, a string of all zeros 74*62c56f98SSadaf Ebrahimi * of md.size length is used as the salt. 75*62c56f98SSadaf Ebrahimi * \param salt_len The length in bytes of the optional \p salt. 76*62c56f98SSadaf Ebrahimi * \param ikm The input keying material. 77*62c56f98SSadaf Ebrahimi * \param ikm_len The length in bytes of \p ikm. 78*62c56f98SSadaf Ebrahimi * \param[out] prk A pseudorandom key of at least md.size bytes. 79*62c56f98SSadaf Ebrahimi * 80*62c56f98SSadaf Ebrahimi * \return 0 on success. 81*62c56f98SSadaf Ebrahimi * \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid. 82*62c56f98SSadaf Ebrahimi * \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying 83*62c56f98SSadaf Ebrahimi * MD layer. 84*62c56f98SSadaf Ebrahimi */ 85*62c56f98SSadaf Ebrahimi int mbedtls_hkdf_extract(const mbedtls_md_info_t *md, 86*62c56f98SSadaf Ebrahimi const unsigned char *salt, size_t salt_len, 87*62c56f98SSadaf Ebrahimi const unsigned char *ikm, size_t ikm_len, 88*62c56f98SSadaf Ebrahimi unsigned char *prk); 89*62c56f98SSadaf Ebrahimi 90*62c56f98SSadaf Ebrahimi /** 91*62c56f98SSadaf Ebrahimi * \brief Expand the supplied \p prk into several additional pseudorandom 92*62c56f98SSadaf Ebrahimi * keys, which is the output of the HKDF. 93*62c56f98SSadaf Ebrahimi * 94*62c56f98SSadaf Ebrahimi * \warning This function should only be used if the security of it has been 95*62c56f98SSadaf Ebrahimi * studied and established in that particular context (eg. TLS 1.3 96*62c56f98SSadaf Ebrahimi * key schedule). For standard HKDF security guarantees use 97*62c56f98SSadaf Ebrahimi * \c mbedtls_hkdf instead. 98*62c56f98SSadaf Ebrahimi * 99*62c56f98SSadaf Ebrahimi * \param md A hash function; md.size denotes the length of the hash 100*62c56f98SSadaf Ebrahimi * function output in bytes. 101*62c56f98SSadaf Ebrahimi * \param prk A pseudorandom key of at least md.size bytes. \p prk is 102*62c56f98SSadaf Ebrahimi * usually the output from the HKDF extract step. 103*62c56f98SSadaf Ebrahimi * \param prk_len The length in bytes of \p prk. 104*62c56f98SSadaf Ebrahimi * \param info An optional context and application specific information 105*62c56f98SSadaf Ebrahimi * string. This can be a zero-length string. 106*62c56f98SSadaf Ebrahimi * \param info_len The length of \p info in bytes. 107*62c56f98SSadaf Ebrahimi * \param okm The output keying material of \p okm_len bytes. 108*62c56f98SSadaf Ebrahimi * \param okm_len The length of the output keying material in bytes. This 109*62c56f98SSadaf Ebrahimi * must be less than or equal to 255 * md.size bytes. 110*62c56f98SSadaf Ebrahimi * 111*62c56f98SSadaf Ebrahimi * \return 0 on success. 112*62c56f98SSadaf Ebrahimi * \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid. 113*62c56f98SSadaf Ebrahimi * \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying 114*62c56f98SSadaf Ebrahimi * MD layer. 115*62c56f98SSadaf Ebrahimi */ 116*62c56f98SSadaf Ebrahimi int mbedtls_hkdf_expand(const mbedtls_md_info_t *md, const unsigned char *prk, 117*62c56f98SSadaf Ebrahimi size_t prk_len, const unsigned char *info, 118*62c56f98SSadaf Ebrahimi size_t info_len, unsigned char *okm, size_t okm_len); 119*62c56f98SSadaf Ebrahimi 120*62c56f98SSadaf Ebrahimi #ifdef __cplusplus 121*62c56f98SSadaf Ebrahimi } 122*62c56f98SSadaf Ebrahimi #endif 123*62c56f98SSadaf Ebrahimi 124*62c56f98SSadaf Ebrahimi #endif /* hkdf.h */ 125